VPN Tools and Settings

advertisement
VPN Tools and Settings
Updated: August 21, 2006
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1,
Windows Server 2003 with SP2
VPN Tools and Settings
In this section
Windows Server 2003 provides the following tools to troubleshoot VPN connections:

TCP/IP Troubleshooting Tools

Authentication and Accounting Logging

Event Logging

IAS Event Logging

PPP Logging

Tracing

Oakley Logging

Network Monitor
TCP/IP Troubleshooting Tools
The Ping, Tracert, and Pathping tools use ICMP Echo and Echo Reply messages to verify
connectivity, display the path to a destination, and test path integrity. The route print command
can be used to display the IP routing table. Alternately, on the VPN server, you can use the netsh
routing ip show rtmroutes command or the Routing and Remote Access snap-in. The Nslookup
tool can be used to troubleshoot DNS and name resolution issues.
Authentication and Accounting Logging
A VPN server running Windows Server 2003 supports the logging of authentication and
accounting information for remote access VPN connections in local logging files when Windows
authentication or Windows accounting is enabled. This logging is separate from the events
recorded in the system event log. You can use the information that is logged to track remote
access usage and authentication attempts. Authentication and accounting logging is especially
useful for troubleshooting remote access policy issues. For each authentication attempt, the name
of the remote access policy that either accepted or rejected the connection attempt is recorded.
Enable authentication and accounting logging from the Settings tab on the properties of the
Local File object in the Remote Access Logging folder in the Routing and Remote Access snapin (if the Routing and Remote Access service is configured for Windows authentication and
accounting) or the Internet Authentication Service snap-in (if the Routing and Remote Access
service is configured for RADIUS authentication and accounting and the RADIUS server is an
IAS server)
The authentication and accounting information is stored in a configurable log file or files stored
in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication
Service (IAS) or database-compatible format, meaning that any database program can read the
log file directly for analysis.
If the VPN server is configured for RADIUS authentication and accounting and the RADIUS
server is a computer running Windows Server 2003 and IAS, the authentication and accounting
logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.
IAS for Windows Server 2003 can also send authentication and accounting information to a
Structured Query Language (SQL) database.
Event Logging
On the Logging tab in the properties of a VPN server in the Routing and Remote Access snap-in,
there are four levels of logging. Select Log all events, and then try the connection again. After
the connection fails, check the system event log for events logged during the connection process.
After you are done viewing remote access events, select the Log errors and warnings option on
the Logging tab to conserve system resources.
IAS Event Logging
If your VPN servers are configured for RADIUS authentication and your RADIUS servers are
computers running Windows Server 2003 and IAS, check the system event log for IAS events
for rejected or accepted connection attempts. IAS system event log entries contain a lot of
information about the connection attempt including the name of the remote access policy that
accepted or rejected the connection attempt. IAS event logging for rejected or accepted
connection attempts is enabled by default and configured from the Service tab from the
properties of an IAS server in the Internet Authentication Service snap-in.
PPP logging
PPP logging records the series of programming functions and PPP control messages during a
PPP connection and is a valuable source of information when you are troubleshooting the failure
of a PPP connection. To enable PPP logging, select the Log additional Routing and Remote
Access information option on the Logging tab on the properties of a remote access server.
By default, the PPP log is stored as the Ppp.log file in the SystemRoot\Tracing folder.
Tracing
The Windows Server 2003 Routing and Remote Access service has an extensive tracing
capability that you can use to troubleshoot complex network problems. You can enable the
components in Windows Server 2003 to log tracing information to files using the Netsh
command or through the registry.
Enabling Tracing with Netsh
You can use the Netsh command to enable and disable tracing for specific components or for all
components.
To enable and disable tracing for a specific component, use the following syntax:
netsh ras set tracing Component enabled|disabled
where Component is a component in the list of Routing and Remote Access service components
found in the Windows Server 2003 registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing
for the RASAUTH component, the command is:
netsh ras set tracing rasauth enabled
To enable tracing for all components, use the following command:
netsh ras set tracing * enabled
Enabling Tracing Through the Registry
You can configure the tracing function by changing settings in the Windows Server 2003
registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
You can enable tracing for each Routing and Remote Access service component by setting the
registry values described later. You can enable and disable tracing for components while the
Routing and Remote Access service is running. Each component is capable of tracing and
appears as a subkey under the preceding registry key.
To enable tracing for each component, you can configure the following registry entries for each
protocol key:
EnableFileTracing REG_DWORD Flag
You can enable logging tracing information to a file by setting EnableFileTracing to 1. The
default value is 0.
FileDirectory REG_EXPAND_SZ Path
You can change the default location of the tracing files by setting FileDirectory to the path you
want. The file name for the log file is the name of the component for which tracing is enabled.
By default, log files are placed in the SystemRoot\Tracing folder.
FileTracingMask REG_DWORD LevelOfTracingInformationLogged
FileTracingMask determines how much tracing information is logged to the file. The default
value is 0xFFFF0000.
MaxFileSize REG_DWORD SizeOfLogFile
You can change the size of the log file by setting different values for MaxFileSize. The default
value is 0x10000 (64K).
Note
Tracing consumes system resources and should be used sparingly to help identify network
problems. After the trace is captured or the problem is identified, you should immediately disable
tracing. Do not leave tracing enabled on multiprocessor computers.
Note
Tracing information can be complex and very detailed. Most of the time this information is
useful only to Microsoft support professionals or to network administrators who are very
experienced with the Routing and Remote Access service. Tracing information can be saved as
files and sent to Microsoft support for analysis.
Oakley Logging
You can use the Oakley log to view details about the SA establishment process. The Oakley log
is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLo
gging registry setting to 1. The Oakley key does not exist by default and must be created.
After it is enabled, the Oakley log, which is stored in the SystemRoot\Debug folder, records all
IPSec SA negotiations. A new Oakley.log file is created each time the IPSec Policy Agent is
started and the previous version of the Oakley.log file is saved as Oakley.log.sav.
To activate the new EnableLogging registry setting after modifying its value, stop and start the
IPSec Policy Agent and related IPSec services by running the following sequence of commands:
1. Stop the Routing and Remote Access service using the net stop remoteaccess command.
2. Stop the IPSec services using the net stop policyagent command.
3. Start the IPSec services using the net start policyagent command.
4. Start the Routing and Remote Access service using the net start remoteaccess
command.
Network Monitor
Use Network Monitor, a packet capture and analysis tool supplied with Windows Server 2003, to
capture and view the traffic sent between a VPN server and VPN client during the VPN
connection process and during data transfer. You cannot interpret the encrypted portions of VPN
traffic with Network Monitor. Network Monitor is installed as an optional networking
component.
The proper interpretation of the remote access and VPN traffic with Network Monitor requires
an in-depth understanding of PPP, PPTP, IPSec, and other protocols. Network Monitor captures
can be saved as files and sent to Microsoft support for analysis.
Tags : Add a tag
Community Content
Add new content
help
Annotations
nathang09 | Edit
false
| Show History
Download